Sourceforge Hijacks GIMP and Nmap with Trojans

Sourceforge has been found to be hijacking orphaned open source projects and adding malware to their repositories. Notable victims of this practice are the popular GIMP and Nmap accounts, using them to distribute third-party “bundle-ware” installers. GIMP fell victim to this scheme last week, and now Nmap has been “adopted” by Sourceforge, as Gordon “Fyodor” Lyon, creator of Nmap, reports:

Hi Folks! You may have already read the recent news about Sourceforge.net hijacking the GIMP project account to distribute adware/malware. Previously GIMP used this Sourceforge account to distribute their Windows installer, but they quit after Sourceforge started tricking users with fake download buttons which lead to malware rather than GIMP. Then Sourceforge took over GIMP’s account and began distributing a trojan installer which tries to trick users into installing various malware and adware before actually installing GIMP. Of course this goes directly against Sourceforge’s promise less than two years ago:

“we want to reassure you that we will NEVER bundle offers with any project without the developers consent”

Fyodor asks Sourceforge to remove the hijacked Nmap page, and reminds users to only download Nmap from the official SSL Nmap website.

Sourceforge later responded to the controversy, issuing the following statement:

“In an effort to address a number of concerns we have been hearing from the media and community at large, we at SourceForge would like to note that we have stopped presenting third party offers for unmaintained SourceForge projects.”